0e0b159fb42b06515c55e17eeba811fa4c46d87db89e821070b840303e063729

Analysis

max time kernel
146s
max time network
41s
platform
windows7_x64
resource
win7v200430
submitted
15/07/2020, 13:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

BTL GLOBAL LONG OVERDUE PAYMENT.exe
Size

1.3MB
MD5

fda41b6c829f05a7ffbee54fa50e1dff
SHA1

b72190a44238a46cbf838d0bfbfa90ddcf48fec6
SHA256

0e0b159fb42b06515c55e17eeba811fa4c46d87db89e821070b840303e063729
SHA512

10a5f3c19cd6502562d8425e50e14df54c3b52057a570504ce20813e118859250afb3a4041a2f4e81cd308cd4604de38653c0247badda8f463ca50dbe67485db

Score

1^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 1800	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	26
PID 1252 wrote to memory of 1800	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	26
PID 1252 wrote to memory of 1800	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	26
PID 1252 wrote to memory of 1800	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	26
PID 1252 wrote to memory of 1836	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	28
PID 1252 wrote to memory of 1836	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	28
PID 1252 wrote to memory of 1836	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	28
PID 1252 wrote to memory of 1836	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	28
PID 1252 wrote to memory of 1836	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	28
PID 1252 wrote to memory of 1836	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	28
PID 1252 wrote to memory of 1836	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	28
PID 1252 wrote to memory of 1748	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	29
PID 1252 wrote to memory of 1748	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	29
PID 1252 wrote to memory of 1748	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	29
PID 1252 wrote to memory of 1748	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	29
PID 1252 wrote to memory of 1748	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	29
PID 1252 wrote to memory of 1748	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	29
PID 1252 wrote to memory of 1748	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	29
PID 1252 wrote to memory of 1756	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	30
PID 1252 wrote to memory of 1756	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	30
PID 1252 wrote to memory of 1756	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	30
PID 1252 wrote to memory of 1756	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	30
PID 1252 wrote to memory of 1756	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	30
PID 1252 wrote to memory of 1756	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	30
PID 1252 wrote to memory of 1756	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	30
PID 1252 wrote to memory of 1780	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	31
PID 1252 wrote to memory of 1780	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	31
PID 1252 wrote to memory of 1780	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	31
PID 1252 wrote to memory of 1780	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	31
PID 1252 wrote to memory of 1780	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	31
PID 1252 wrote to memory of 1780	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	31
PID 1252 wrote to memory of 1780	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	31
PID 1252 wrote to memory of 368	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	32
PID 1252 wrote to memory of 368	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	32
PID 1252 wrote to memory of 368	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	32
PID 1252 wrote to memory of 368	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	32
PID 1252 wrote to memory of 368	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	32
PID 1252 wrote to memory of 368	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	32
PID 1252 wrote to memory of 368	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe	32

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe
1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe
1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe
1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe
1252	BTL GLOBAL LONG OVERDUE PAYMENT.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1800	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\BTL GLOBAL LONG OVERDUE PAYMENT.exe
"C:\Users\Admin\AppData\Local\Temp\BTL GLOBAL LONG OVERDUE PAYMENT.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1252
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EqqinnUnRu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7722.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:1836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:1748
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:1756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
  "{path}"
  2⤵
  PID:368

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads